{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35093", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-01T12:56:18.939Z", "datePublished": "2026-04-01T13:54:00.189Z", "dateUpdated": "2026-04-03T13:56:05.343Z"}, "containers": {"cna": {"title": "Libinput: libinput: unauthorized code execution and information disclosure through lua bytecode plugins", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:10"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "unknown", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libinput", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-35093", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453839", "name": "RHBZ#2453839", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271"}], "datePublic": "2026-04-01T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-94: Improper Control of Generation of Code ('Code Injection')", "timeline": [{"lang": "en", "time": "2026-04-01T13:31:20.352Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-01T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Koen Tange (monokles.eu) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-02T06:31:23.875Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35093", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T13:46:32.320920Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:56:05.343Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35093", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T13:46:32.320920Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:49:57.591Z"}}], "cna": {"title": "Libinput: libinput: unauthorized code execution and information disclosure through lua bytecode plugins", "credits": [{"lang": "en", "value": "Red Hat would like to thank Koen Tange (monokles.eu) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/o:redhat:enterprise_linux:10"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 10", "packageName": "libinput", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "libinput", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unknown"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "libinput", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "libinput", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-01T13:31:20.352Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-01T00:00:00.000Z", "value": "Made public."}], "datePublic": "2026-04-01T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-35093", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453839", "name": "RHBZ#2453839", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271"}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-02T06:31:23.875Z"}, "x_redhatCweChain": "CWE-94: Improper Control of Generation of Code ('Code Injection')"}}, "cveMetadata": {"cveId": "CVE-2026-35093", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:56:05.343Z", "dateReserved": "2026-04-01T12:56:18.939Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-01T13:54:00.189Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location."}], "id": "CVE-2026-35093", "lastModified": "2026-04-01T14:23:37.727", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "[email protected]", "type": "Primary"}]}, "published": "2026-04-01T14:16:57.443", "references": [{"source": "[email protected]", "url": "https://access.redhat.com/security/cve/CVE-2026-35093"}, {"source": "[email protected]", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453839"}, {"source": "[email protected]", "url": "https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "[email protected]", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Koen Tange (monokles.eu) for reporting this issue.", "bugzilla": {"description": "libinput: libinput: Unauthorized code execution and information disclosure through Lua bytecode plugins", "id": "2453839", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453839"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-94", "details": ["A flaw was found in libinput. A local attacker who can place a specially crafted Lua bytecode file in certain system or user configuration directories can bypass security restrictions. This allows the attacker to run unauthorized code with the same permissions as the program using libinput, such as a graphical compositor. This could lead to the attacker monitoring keyboard input and sending that information to an external location."], "name": "CVE-2026-35093", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Affected", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "libinput", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-04-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-35093\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-35093\nhttps://gitlab.freedesktop.org/libinput/libinput/-/work_items/1271"], "statement": "This Important flaw in libinput allows a local attacker to achieve unauthorized code execution and information disclosure. Exploitation requires the attacker to place a specially crafted Lua bytecode file in a system or user configuration directory, and for Lua plugins to be enabled and loaded by the graphical compositor.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat Enterprise Linux 10", "source": "cna", "vendor": "Red Hat"}, "product": "enterprise_linux", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-02T02:27:22.220010+00:00", "value": {"mitigation_remediation": ["Apply the Red\u202fHat security update that contains the libinput fix.", "Confirm that the update has been installed on all RHEL\u202f7,\u202f8,\u202f9, and\u202f10 systems.", "If the update is unavailable or delayed, restrict write permissions on libinput configuration directories to prevent unauthorized Lua bytecode placement.", "Continuously monitor these directories for unexpected Lua bytecode files and audit access logs for suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Code Execution"}, "threat_synthesis": {"affected_systems": "Red\u202fHat Enterprise\u202fLinux\u202f7,\u202f8,\u202f9, and\u202f10 are affected by this libinput flaw; no specific minor version information is available.", "description_and_impact": "A flaw in libinput permits a local attacker with write access to system or user configuration directories to craft a Lua bytecode file that is loaded by libinput. When executed, the bytecode runs with the same privileges as the process that uses libinput, such as a graphical compositor. This enables the attacker to capture and transmit keyboard input, resulting in confidential data leakage. The vulnerability is a code\u2011injection weakness classified as CWE\u201194 and carries a high severity rating of 8.8 on the CVSS scale.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity risk. Exploitation requires local access and the ability to place a Lua bytecode file in a libinput configuration directory, but once achieved the attacker can execute arbitrary code and exfiltrate sensitive input. No publicly available exploit is listed, and the vulnerability is not yet in the CISA KEV catalog. Nonetheless, the potential impact warrants prompt remediation and monitoring."}}}}, "created": "2026-04-02T07:49:08.206068+00:00", "updated": "2026-04-02T20:17:32.877163+00:00", "vendors": ["redhat", "redhat$PRODUCT$enterprise_linux"]}